CVE-2026-1748 MEDIUM

CVE-2026-1748: Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure

Vendor: Kirilkirkov
Product: Invoct – PDF Invoices & Billing for WooCommerce
Weakness: CWE-862 · Missing authorization
Published: February 11, 2026
Last update: April 8, 2026

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and the list of WordPress users along with their emails.
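The class of bug described above (CWE-862 in a WordPress AJAX handler), shown as an added illustration beside its hardened form. This is not Invoct's source code: the `example_*` function, action and nonce names are hypothetical, and `manage_woocommerce` is an assumed choice of capability for invoice administration.

```php
<?php
/**
 * Added illustration of a missing capability check; not the plugin's code.
 * All example_* names are hypothetical.
 */

// Vulnerable pattern: a wp_ajax_{action} hook fires for ANY logged-in user.
// With no capability check, a Subscriber receives every user's email.
add_action( 'wp_ajax_example_list_users_unsafe', 'example_list_users_unsafe' );
function example_list_users_unsafe() {
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}

// Hardened pattern: verify the nonce, then verify the capability,
// and only then touch the data.
add_action( 'wp_ajax_example_list_users', 'example_list_users' );
function example_list_users() {
    // The nonce protects against CSRF. It is NOT an authorization check:
    // any logged-in user who can load the page can obtain a valid nonce.
    check_ajax_referer( 'example_list_users', 'nonce' );

    // Authorization: restrict to roles that manage the shop.
    // 'manage_woocommerce' is an assumption; use the capability that
    // matches who is meant to administer invoices on the site.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        // wp_send_json_error() sends the response and terminates.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Return only the fields the caller needs, and bound the result size.
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name', 'user_email' ),
        'number' => 50,
    ) );
    wp_send_json_success( $users );
}
```

When auditing a plugin for this weakness, list every `wp_ajax_*` and REST route registration and confirm each callback reaches a `current_user_can()` check (or a REST `permission_callback`) before it reads data.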

Explanation of Vulnerability in Simple Terms

02 Summary

The Invoct plugin for WooCommerce does not properly check user permissions before allowing access to certain functions. A logged-in user with low privileges can read sensitive invoice data they should not have access to. The vulnerability affects versions 1.6 and earlier. Update to a version newer than 1.6 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Read invoice data belonging to other users or orders.

Potential impact on your site

04 Site Impact

Customer invoice information may be exposed to other logged-in users, risking privacy violations.

Conditions required to exploit

05 Prerequisites

Attacker must be logged in to the WordPress site with a low-privilege account (e.g., customer).

Key dates

06 Disclosure timeline

February 11, 2026: CVE published
April 8, 2026: Record updated
